Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

South Korea Joins APEC Cross-Border Privacy Rules System

shutterstock_159695624On Monday, June 12, South Korea became the latest country approved to officially join the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) system.  It is the fifth APEC economy to participate in the system, joining the United States, Canada, Japan, and Mexico.  To date, twenty companies—including Apple, Cisco, HP, IBM, Rackspace, and Workday—have been certified under CBPR. Continue Reading

Posted in International/EU Privacy

UK to Align Itself with the GDPR Despite Brexit

UK Flag“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”.  This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection.  Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one. Continue Reading

Posted in Cybersecurity & Data Breaches

Malware Capable of Shutting Down Electric Grids Confirmed

shutterstock_113929936Malware was recently identified that appears to have been designed and deployed by a nation-state to target and shut down electric grids.

According to published reports, this malware currently appears to be capable of attacking the European grids, and parts of the Middle East and Asia grids, by targeting the specific industrial control system (ICS) network protocols used to operate those grids. With small modifications, the malware reportedly also appears to be capable of attacking the North American power grid, as well as other industries that use ICS networks (e.g., oil, gas, water, data) around the globe.

Continue Reading

Posted in Consumer Privacy, Privacy & Security Litigation

Court Stops Pokémon GO Litigation

iStock_000075156711_XXXLarge1In May, a Florida state court dismissed a plaintiff’s claim that the terms of service for popular mobile game Pokémon GO violated Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA).  The case illustrates how establishing injury continues to be a key hurdle for plaintiffs in litigation involving online services, and shows that a well-framed choice of law provision can help protect providers of online services.

Continue Reading

Posted in Cybersecurity & Data Breaches

Federal Financial Institutions Examination Council Releases Updated Cybersecurity Assessment Tool

shutterstock_445200349The Federal Financial Institutions Examination Council (FFIEC) recently released an updated version of its Cybersecurity Assessment Tool (CAT), which, according to FFIEC, is designed to help the financial institutions voluntarily using the tool to “identify their cyber risks and determine their cybersecurity preparedness.” We explore the changes to the CAT in this post.
Continue Reading

Posted in Privacy & Security Litigation

Supreme Court to Hear Location Privacy Case

000017164817_Newsletter_CoverOn Monday, the Supreme Court granted certiorari in Carpenter v. United States, a Sixth Circuit case that provides the Court with the opportunity to clarify whether individuals have a reasonable expectation of privacy in location data shared with electronic communications service providers. Specifically, the Court will consider whether the Fourth Amendment requires law enforcement to obtain a warrant for the search and seizure of wireless carriers’ cell phone data that reveals the cell phone user’s location over the course of several months; or whether such location information falls within the long-recognized “third-party doctrine” exception to Fourth Amendment protections. A definitive Supreme Court holding on these issues could clarify presently muddled case law surrounding cell-site tracking data and perhaps inform judicial interpretations of privacy torts and other issues related to the collection, use, and sharing of location data. Continue Reading

Posted in International/EU Privacy

EU ePrivacy Regulation Proposal Falls Short of Parliament’s Expectations

shutterstock_356121362The European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned a study to assess the European Commission’s January 2017 draft e-Privacy Regulation; the study was published by the European Parliament on 1 June 2017. The e-Privacy Regulation aims to harmonise privacy rules across the EU in the area of electronic communications, but the study has found that the draft e-Privacy Regulation does not as far as the GDPR in some respects. This contrasts with many other views expressed publicly, which regarded the Commission’s draft as a tightening of the GDPR regime.  A central theme of the study, which was carried out by academics of the IViR Institute for Information Law, University of Amsterdam, is the need to protect privacy of correspondence regardless of medium or any other factor.  The EU legislative institutions are urged to pay extra attention to four areas in which it is felt that there is insufficient protection of the right to privacy and confidentiality of communications: Continue Reading

Posted in Consumer Privacy

GAO Report Highlights Security, Privacy, and Governance Challenges of the Internet of Things

shutterstock_314652596In May 2017, the Government Accountability Office (GAO) released a technology assessment of the Internet of Things (IoT) for Congressional members of the IoT Caucus. The GAO report offers an introduction to IoT; reviews the many uses and their associated benefits that connected devices may bring to consumers, industry, and the public sector; and highlights the potential implications of the use of IoT, including information security challenges, privacy challenges, and government oversight. The report also identifies areas of apparent consensus among experts regarding the challenges posed by IoT, though the appropriate responses are disputed. Accordingly, the report may act as a foundation for future policymaker discussions about regulating IoT.

Continue Reading

Posted in News & Events

Privacy and Cybersecurity June 2017 Events

Please join us for our June 2017 Privacy and Cybersecurity Events.

June 7
FTC and State Consumer Protection Enforcement
Bret Cohen will present a webinar on “Consumer protection enforcement is #trending: How to avoid FTC and state investigations, and what to do when you get the knock on the door.” Recent developments and enforcement trends in data privacy and security, advertising and endorsements, and claim substantiation in practice before the FTC and state authorities will be discussed.
Location: To register, click here.

 

June 7
Cyber Breach Response for In-House Counsel
Harriet Pearson, Tom Connally, and Jon Talotta will present a session for the Association of Corporate Counsel on “Cyber Ethics: Ethical perils, pitfalls, and paths forward for in-house counsel responding to a cyber breach.” Topics to be examined will include ethical guideposts for internal cyber breach investigations, attorney-client privilege and work product protections, and the ethics of breach notification.
Location: Hogan Lovells’ office in Northern Virginia. To register, click here.

 

June 7
GDPR Compliance for Security Professionals
Eduardo Ustaran will discuss how IT and security teams can prepare to comply with GDPR in a session on “Navigating Infosecurity’s Role in GDPR Compliance” at Infosecurity Europe.
Location: London, England

 

Continue Reading

Posted in International/EU Privacy

China’s Revised Draft Data Localisation Measures

shutterstock_293627249On 19 May 2017, the Cyberspace Administration of China (the CAC) released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the Second Draft Export Review Measures).

The draft emerged just over a week after public comments closed on the first draft of the measures, which we discussed in our earlier briefing here (the First Draft Export Review Measures).  There was a significant volume of industry commentary, and the Second Draft Export Review Measures do, to some extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect.  However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national corporations operating in China (MNCs). In addition, the test for when a data localization requirement will kick in has not really changed under the Second Draft Export Review Measures — the fundamental position remains that without security review approval and clearance data cannot be exported and must be (logically) stored in China.

Continue Reading